On 16/11/16 22:58, Craig_Weeks@xxxxxxxxxxxxxx wrote:
> I am an OpenSSL neophyte, so please bear with me if the answer is
> obvious in the documentation.
>
> Our product is going to provide runtime options to the user to enable
> and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For example:
> today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1 and 1.2,
> disable 1.0.
>
> How do I use the available APIs to toggle the availability of these
> versions of TLS at runtime (as opposed to some compile time switch that
> permanently removes support for 1 or more versions)? I want these
> settings to apply to all new connections after they have been enabled or
> disabled.

The preferred way to do this is using SSL_CTX_set_max_proto_version() and
SSL_CTX_set_min_proto_version():

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_max_proto_version.html

Note these macros are only available in OpenSSL 1.1.0. If you need
something that will work in OpenSSL 1.0.2 and 1.1.0 then you can use
SSL_CTX_set_options() to disable specific protocol versions:

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

Note: your example of "enable 1.0 and 1.2, disable 1.1" would be strongly
discouraged. You are encouraged to only allow a contiguous set of protocol
versions without any "holes". It is possible to do this with
SSL_CTX_set_options() although you may get some unpredictable results
around version negotiation.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
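A runtime version toggle along the lines Matt describes, as an added example that is not from the thread or from OpenSSL itself: `tls_version_range` and `tls_apply_versions` are hypothetical names, the `EN_TLS1_*` flags are the example's own, and the part that needs OpenSSL headers is compiled only with `-DUSE_OPENSSL` so the range check can be built and tested on its own.

```c
enum { EN_TLS1_0 = 1, EN_TLS1_1 = 2, EN_TLS1_2 = 4 }; /* our runtime flags */

/* Turn an enabled-version mask into a contiguous [min, max] range encoded as
 * OpenSSL's TLS1_VERSION / TLS1_1_VERSION / TLS1_2_VERSION (0x0301..0x0303).
 * Returns -1 when nothing is enabled or the set has a hole (e.g. 1.0 and 1.2
 * without 1.1), which the reply above advises against. */
int tls_version_range(unsigned mask, int *min_ver, int *max_ver)
{
    const unsigned flags[3] = { EN_TLS1_0, EN_TLS1_1, EN_TLS1_2 };
    const int vers[3] = { 0x0301, 0x0302, 0x0303 };
    int lo = -1, hi = -1, i;
    for (i = 0; i < 3; i++) {
        if (mask & flags[i]) {
            if (lo < 0) lo = i;
            hi = i;
        }
    }
    if (lo < 0) return -1;
    for (i = lo; i <= hi; i++)
        if (!(mask & flags[i])) return -1;      /* hole in the range */
    *min_ver = vers[lo];
    *max_ver = vers[hi];
    return 0;
}

#ifdef USE_OPENSSL  /* build with -DUSE_OPENSSL -lssl -lcrypto for the applier */
#include <openssl/ssl.h>
/* Apply the user's choice to ctx; every SSL object created from ctx afterwards
 * inherits it. OpenSSL 1.1.0+ uses the min/max setters; 1.0.2 falls back to
 * SSL_OP_NO_* bits, clearing the old ones first because set_options only ORs. */
int tls_apply_versions(SSL_CTX *ctx, unsigned mask)
{
    int lo, hi;
    if (tls_version_range(mask, &lo, &hi) != 0)
        return -1;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    if (!SSL_CTX_set_min_proto_version(ctx, lo)) return -1;
    if (!SSL_CTX_set_max_proto_version(ctx, hi)) return -1;
#else
    long no = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
    long off = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    if (!(mask & EN_TLS1_0)) off |= SSL_OP_NO_TLSv1;
    if (!(mask & EN_TLS1_1)) off |= SSL_OP_NO_TLSv1_1;
    if (!(mask & EN_TLS1_2)) off |= SSL_OP_NO_TLSv1_2;
    SSL_CTX_clear_options(ctx, no);
    SSL_CTX_set_options(ctx, off);
#endif
    return 0;
}
#endif
```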